Helping your employees to understand the role that security plays in their daily working lives will help you to manage risk more than a 100-page security policy ever could.
No amount of technology will ever remove the reality that employees often pose your greatest security risk.
A recent study with 145 security leaders in SMBEs in the EMEA region showed that 80% of organizations had been hit by an attack in the past year, 74% claimed the frequency of attacks is increasing and 72% said the cost of email-related breaches is rising.
With more workplace tools available to them than ever before, and promises of greater mobility, it can be hard for employees to appreciate the risks.
Unfortunately, imposing rigid security policies typically backfires. Quite rightly, business users want to work productively and with as little hindrance as possible. Ask too much and users will always find ways to circumvent the controls that the IT team have put in place.
That’s why it’s so important to balance the availability of your productivity apps with a well-rounded “culture of security”.
No matter how detailed, no security policy can ever cover all potential scenarios. Instead, building a culture of security means giving employees a wider appreciation of how security aligns with the wider business and how it enables greater success.
A survey for the UK government last year suggested that in companies where security was well understood and respected by senior management, the wider staff population also took it more seriously.
Engage with every team member to help them better understand the role that security plays in their working life. With multiple productivity tools and apps at their disposal, help them to appreciate how different tools, types of content, and behavior carry different levels of risk.
Security might not seem immediately relevant to all of your employees. Don’t just focus on the big stuff; provide practical examples of how the day-to-day working lives of different roles in your business might come across scenarios where security should be considered.
The IT team can’t do everything, so appoint individuals in different departments to act as a liaison. They’ll be closer to the decisions made by business units on a daily basis, and with a more detailed understanding (and direct responsibility), they’ll be able to better support on-the-ground decision making.
Putting your staff through an hour-long training session every year might be enough to check off your compliance requirements, but it won’t be enough to build a culture of security.
Look at regular, more subtle workplace sessions to educate the workforce. You might even look to gamification! Try the occasional internal quiz and reward your stars!
If you have any other ideas to help build a culture of security in a fun and engaging way, I’d love to hear them!
Morten Brøgger, CEO, Wire